The Role Authentication, Authorization, and Accountability Play in a Secure Organization

Authentication, authorization, and accounting are three terms sometimes referred to as "AAA." Together, these items represent a framework for enforcing policy, controlling access, and auditing user activities. These three items are critical for security.

Authentication

At its most basic, authentication is a method of identification. It grants access to physical or logical resources based on someone's identification. Individuals typically identify and authenticate themselves by one of three methods: something you know, something you have, or something you are.

Passwords: Something You Know

The use of computer passwords goes back to the early days of computing. Way back then, passwords were short, typically seven characters or fewer. Passwords were kept short to make them easier for people to remember and easier to enter. Over time, short passwords presented a series of problems, such as users choosing words that were easy to guess or repeating letters or numbers such as 411. Short passwords are also vulnerable to shoulder-surfing attacks because they are easy to memorize and steal.

Over time, these insecurities led to the implementation of more robust passwords. Controls were implemented that forced users to change passwords at regular intervals, and new passwords were checked to make sure they were different. Passwords that didn't meet complexity requirements could be screened and rejected. The goal of these changes was admirable, but usually the end effect was that users would write down their passwords, put them under the keyboard, or place them on a Post-it note attached to the monitor. So, although password security has increased, passwords remain the weakest form of authentication.

What Is Your Password Worth?

Maybe you thought that, with so much emphasis placed on security over the past few years, people would be doing more to secure and protect their passwords. A survey performed at a security conference in Europe found that 71% of those polled were willing to give up their passwords for a piece of chocolate. Although most stated that they would not give their passwords to someone calling on the phone, others said they would give their passwords to their bosses. For more on this story, check out


Tokens: Something You Have

Tokens come in two basic types: synchronous password tokens or asynchronous password tokens. Password tokens can be purchased as smart cards, USB plugs, key fobs, or keypad-based units. These devices generate authentication credentials that can be used as one-time passwords (OTPs) and for two-factor authentication.

Tokens are a great way to implement one-time passwords. One-time passwords are used only once and are valid for only a short period of time. They are implemented by using tokens that display the time-limited password on an LCD screen.

By combining tokens with passwords, strong authentication can be achieved. Just think of it: two-factor authentication makes it much more difficult for unauthorized individuals to gain access. Anyone who has a safety deposit box can attest to this. The bank will require you to authenticate yourself with a driver's license or account number, and you'll also be required to possess a key. Both forms of authentication will be required to access the safety deposit box.


Tokens that are said to be synchronous are synchronized to an authentication server. Each individual passcode is valid only for a very short period of time. Even if someone is able to sniff the token-based password, it would be valid only for that short period. After that small window of opportunity, it would have no value to an attacker. RSA's SecurID and VeriSign's authentication token are both considered synchronous tokens.


Asynchronous token devices are not synchronized to an authentication server. These devices use a challenge-response mechanism. CiscoSecure ACS can function in asynchronous mode. These devices work as follows:

  1. Server sends the user a value.
  2. The value is entered into the token.
  3. The token performs a hashing process on the entered value.
  4. The new value is displayed on the LCD screen of the token device.
  5. The user enters the displayed value into the computer for authentication.
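The two token styles described above, worked through as an added example (this is illustrative code written for this page, not the product code of any vendor named here). The shared secret, the time step and the numeric-code truncation are assumptions: the synchronous side derives a six-digit code from the secret and the current 30-second clock window, and the server tolerates one window of drift so a sniffed code dies with its window; the asynchronous side follows the five steps listed above, with the server issuing a random challenge, the token keying a hash with its secret, and the server honouring each challenge only once so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: provisioned into the token at enrollment and
# stored on the authentication server. Not a real key.
SHARED_SECRET = b"constructed-demo-seed-do-not-reuse"
TIME_STEP = 30  # seconds each synchronous passcode stays valid (assumed)


def _truncate(digest: bytes, digits: int) -> str:
    """Reduce an HMAC digest to a short numeric code a user can type."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


# --- Synchronous token: code derived from the shared secret and the clock ---
def sync_token_code(secret: bytes, now: float) -> str:
    """What the token's LCD shows during the clock window containing `now`."""
    window = int(now // TIME_STEP).to_bytes(8, "big")
    return _truncate(hmac.new(secret, window, hashlib.sha1).digest(), 6)


def sync_server_verify(secret: bytes, code: str, now: float, drift: int = 1) -> bool:
    """Accept the current window plus `drift` neighbours to tolerate clock skew.
    A sniffed code stops working as soon as its window leaves this range."""
    for k in range(-drift, drift + 1):
        expected = sync_token_code(secret, now + k * TIME_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


# --- Asynchronous token: challenge-response, no clock needed ---
def async_server_challenge() -> str:
    """Step 1: the server sends the user a fresh random value."""
    return secrets.token_hex(8)


def async_token_response(secret: bytes, challenge: str) -> str:
    """Steps 2-4: the token keys a hash with its secret and displays the result."""
    return _truncate(hmac.new(secret, challenge.encode(), hashlib.sha256).digest(), 8)


def async_server_verify(secret: bytes, challenge: str, response: str, used: set) -> bool:
    """Step 5: the server recomputes the expected response. Each challenge is
    honoured once, so a response captured in transit cannot be replayed."""
    if challenge in used:
        return False
    used.add(challenge)
    return hmac.compare_digest(async_token_response(secret, challenge), response)
```

Both verifiers use `hmac.compare_digest` so that a wrong guess cannot be distinguished from a nearly right one by timing; the `used` set on the asynchronous side is the server-side state that makes a challenge genuinely one-time.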

802.1x Port Authentication

802.1x is a good example of how many organizations are now implementing stricter authentication. Although 802.1x can be used on wired networks, it's widely used on wireless networks, where it has been implemented to address some of the inadequacies of Wired Equivalent Privacy (WEP). 802.1x provides a framework for port-based authentication.

To provide a standard authentication mechanism for IEEE 802.1X, the Extensible Authentication Protocol (EAP) was chosen. EAP is defined in RFC 2284. When used with wireless devices, it's referred to as EAP over LAN (EAPOL). With 802.1x implemented, only EAPOL traffic passes through the switch until the client has been authenticated; after that, normal traffic can pass. Port-based authentication is great because no one can access your network until they have been authenticated.
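The port behaviour described above, as an added simulation that is not part of the original text or of any switch vendor's code. The model keeps a per-port authorized flag: frames carrying the EAPOL EtherType (0x888E, the real IEEE 802.1X value) are always relayed to the authentication logic, every other frame is dropped while the port is unauthorized and forwarded once it is authorized, and an EAPOL-Logoff closes the port again. The credential store and the password-style EAP check are assumptions standing in for a RADIUS server running a real EAP method.

```python
EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAP over LAN
IPV4_ETHERTYPE = 0x0800


class ControlledPort:
    """Model of a switch port under 802.1X: the uncontrolled path relays only
    EAPOL frames to the authenticator; the controlled path stays closed until
    the authentication server reports success."""

    def __init__(self, credentials: dict):
        # `credentials` stands in for the AAA/RADIUS user store (constructed).
        self._credentials = credentials
        self.authorized = False
        self.supplicant = None
        self.forwarded = []
        self.dropped = []

    def receive(self, ethertype: int, payload) -> str:
        """Handle one frame arriving on the port."""
        if ethertype == EAPOL_ETHERTYPE:
            return self._handle_eapol(payload)
        if self.authorized:
            self.forwarded.append((ethertype, payload))
            return "forwarded"
        # Pre-authentication: nothing but EAPOL gets onto the network.
        self.dropped.append((ethertype, payload))
        return "dropped"

    def _handle_eapol(self, payload: dict) -> str:
        kind = payload.get("type")
        if kind == "logoff":
            # EAPOL-Logoff returns the controlled port to the unauthorized state.
            self.authorized = False
            self.supplicant = None
            return "port unauthorized"
        if kind == "response":
            # Simplified stand-in for an EAP method relayed to the server.
            user = payload.get("identity")
            if self._credentials.get(user) == payload.get("credential"):
                self.authorized = True
                self.supplicant = user
                return "EAP-Success"
            self.authorized = False
            return "EAP-Failure"
        return "EAP-Request/Identity"   # reply to EAPOL-Start


def demo_session() -> list:
    """Constructed exchange: data before auth is dropped, EAPOL is relayed,
    data after EAP-Success is forwarded, and logoff closes the port again."""
    port = ControlledPort({"alice": "constructed-credential"})
    return [
        port.receive(IPV4_ETHERTYPE, b"GET / HTTP/1.1"),
        port.receive(EAPOL_ETHERTYPE, {"type": "start"}),
        port.receive(EAPOL_ETHERTYPE, {"type": "response", "identity": "alice",
                                       "credential": "constructed-credential"}),
        port.receive(IPV4_ETHERTYPE, b"GET / HTTP/1.1"),
        port.receive(EAPOL_ETHERTYPE, {"type": "logoff"}),
        port.receive(IPV4_ETHERTYPE, b"GET / HTTP/1.1"),
    ]
```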


Biometrics: Something You Are

Biometric systems identify individuals by measuring some part of a person's physiology or anatomy. Biometric systems are known to be the most accurate of all types of authentication. Although biometrics may sound difficult, these systems have made a lot of progress in the past decade. There are many types of biometric systems, including iris scan, voice recognition, fingerprint, and signature dynamics, just to name a few. Regardless of which method is used, they all work basically the same way. Users must first enroll in the system. Enrollment is not much more than allowing the system to take one or more samples for later comparison. Then, at a later time when a user requests to be authenticated, the stored sample is compared to the user's authentication request. A match allows the user access, but a discrepancy between the two causes the user to be denied access.

Two important factors that must be examined when considering various biometric devices are the false acceptance rate (FAR) and the false rejection rate (FRR). The FAR, also called a type II error, is the rate at which the biometric system accepts users who should be rejected. The FRR, also called a type I error, is the rate at which the biometric system rejects legitimate users. The point at which the FRR and FAR meet is known as the crossover error rate (CER). Although there are many things to consider when deploying a biometric device, this is one of the more critical items. The lower the CER, the more accurate the system. Besides accuracy, the big advantage of a biometric system is that you cannot loan a fingerprint to someone else, you cannot forget it, and it makes it hard for someone to steal your authentication.
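How FAR, FRR and CER are actually obtained from a device's match scores, as an added example that is not from the original text. The match scores below are constructed: higher means the live sample is closer to the enrolled template, and the threshold is the operator's knob. Sweeping the threshold shows the trade-off the text describes: raising it lowers FAR (type II) but raises FRR (type I), and the CER is read off where the two curves cross.

```python
# Constructed match scores in [0, 1]; higher means closer to the enrolled template.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.90, 0.72, 0.93, 0.87, 0.81]
IMPOSTOR = [0.35, 0.52, 0.61, 0.44, 0.73, 0.58, 0.40, 0.66, 0.49, 0.77]


def far(impostor_scores: list, threshold: float) -> float:
    """Type II error: fraction of impostors the device accepts."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores: list, threshold: float) -> float:
    """Type I error: fraction of legitimate users the device rejects."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine: list, impostor: list, steps: int = 1000) -> list:
    """(threshold, FAR, FRR) for every candidate threshold, the data behind
    the curves a vendor shows on a datasheet."""
    return [(i / steps, far(impostor, i / steps), frr(genuine, i / steps))
            for i in range(steps + 1)]


def crossover_error_rate(genuine: list, impostor: list, steps: int = 1000) -> tuple:
    """Threshold at which FAR and FRR are closest, and the error rate there (CER).
    Ties keep the lowest threshold found."""
    best = None
    for threshold, a, r in error_curve(genuine, impostor, steps):
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, threshold, (a + r) / 2)
    return best[1], best[2]


def more_accurate(cer_a: float, cer_b: float) -> str:
    """Compare two devices by CER: the lower one is the more accurate."""
    return "A" if cer_a < cer_b else "B"
```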

Authorization

Authorization is the next natural step following authentication. Authorization should be tied to policies as a control of what commands and processes a user is authorized to run and perform. Three ways in which authorization is commonly controlled are mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC).

Until the early 1990s, most systems used either MAC or DAC. Both models are defined in the Trusted Computer System Evaluation Criteria (TCSEC). The MAC model is static and based on a predetermined list of access privileges; therefore, in a MAC-based system, access is determined by the system rather than by the user. The MAC model is typically used by organizations that handle highly sensitive data (such as the DoD, NSA, CIA, and FBI). Systems based on the MAC model use sensitivity labels. Labels such as top secret, secret, or sensitive are assigned to objects. When a user attempts to access an object, the label is examined for a match to the subject's level of clearance. If no match is found, access is denied.

The DAC model is widely used commercially. Microsoft Windows NT, Windows 2000, and Windows XP all have DAC capabilities. You're probably familiar with DAC because it is similar to the control you see in a peer-to-peer computer network. Each of the users is left in control. The owner is left to determine whether other users have access to files and resources. DAC is a highly decentralized approach to access control management. It functions by means of access control lists (ACLs). If you've ever assigned read, write, or full control privileges on a folder or drive, you've seen DAC at work.

RBAC is the newest of the three models. It wasn't developed until 1992. RBAC is unlike DAC and MAC because everything centers on the role of individual users. Rights are assigned to users based on their roles in the organization. The roles almost always map to the organization's structure. Role-based access control models are used extensively by banks and other organizations that have very defined roles. Windows 2003 has moved aggressively toward RBAC because it maps better to the administrative model used for access control that most organizations use. By assigning access rights and privileges to a group rather than to an individual, the burden on administration is reduced.
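The three authorization models side by side, as an added example that is not part of the original text or of any operating system's implementation. The label ordering, the ACL shape and the bank-style roles are assumptions chosen to mirror the descriptions above: under MAC the system compares the subject's clearance against the object's label and the user cannot change either; under DAC only the object's owner edits its ACL; under RBAC permissions hang off roles and a user gets whatever its roles carry, so changing a job function means changing one role assignment rather than many individual grants.

```python
from dataclasses import dataclass, field

# --- Mandatory access control: system-defined sensitivity ordering (assumed) ---
LEVELS = {"unclassified": 0, "sensitive": 1, "secret": 2, "top secret": 3}


def mac_allows_read(subject_clearance: str, object_label: str) -> bool:
    """A subject may read an object only if its clearance dominates the label;
    neither the subject nor the owner can relabel to get around this."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- Discretionary access control: the owner keeps the ACL ---
@dataclass
class DacFile:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, granter: str, user: str, perm: str) -> None:
        """Only the owner may change who has access (the 'discretionary' part)."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this file")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# --- Role-based access control: rights attach to roles, users to roles ---
ROLE_PERMISSIONS = {                       # constructed bank-style roles
    "teller": {"view_balance", "deposit"},
    "manager": {"view_balance", "deposit", "approve_loan"},
    "auditor": {"view_balance", "read_audit_log"},
}
USER_ROLES = {"alice": {"teller"}, "bob": {"manager"}, "carol": {"auditor"}}


def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def promote(user: str, old_role: str, new_role: str) -> None:
    """Change of job function under RBAC: one role swap, no per-object edits."""
    roles = USER_ROLES.setdefault(user, set())
    roles.discard(old_role)
    roles.add(new_role)
```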

Accountability

Accountability gives administrators the capability to track what activities users performed at specific times. It's also the primary way to see what services were used and how many system resources were consumed by individual users. Accountability is carried out by performing auditing and developing systems to create and store audit trails.

Audit trails help reconstruct events in case of problems, intrusion detection, or incident response. Audit trails are of little value without individual accountability: sufficient authentication must be used to make sure that individuals are held accountable for their actions. Auditing and monitoring must be performed in a way that is consistent with applicable laws and regulations. For example, the Computer Emergency Response Team (CERT) recommends that all users be informed, by means of an acceptable use policy or login banner, of what is or is not acceptable use of the computer system. If you fail to inform users and then detect inappropriate activity, it may be difficult to prosecute violators. Legal cases have occurred in which defendants were acquitted of charges for tampering with computer systems because no explicit notice had been given prohibiting unauthorized use of the systems involved. Other cases have occurred in which organizations were taken to court and sued for allegedly violating an individual's privacy because no notice had been given regarding authorized monitoring of the user's activities on a computer system.
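A small audit trail that supports the two points above, as an added example that is not from the original text or any particular product. It is an assumed design: each record carries the hash of the previous record, so an entry edited or removed after the fact breaks the chain and the trail can no longer reconstruct events trustworthily; records are refused for shared accounts, because an entry attributed to "root" holds no individual accountable; and a query pulls one user's activity in a time window, which is what an incident responder asks of the trail. The events are constructed, not real log data.

```python
import hashlib
import json

# Shared logins defeat individual accountability, so the trail refuses them (assumed policy).
SHARED_ACCOUNTS = {"root", "admin", "guest"}


class AuditTrail:
    """Append-only trail in which every record commits to the previous one,
    making later edits or deletions detectable on verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when: str, user: str, action: str, resource: str) -> str:
        """Append one event (ISO-8601 UTC timestamp) and return its hash."""
        if user in SHARED_ACCOUNTS:
            raise ValueError(f"{user!r} is a shared account; use an individual login")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "time": when, "user": user,
                 "action": action, "resource": resource, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True only if every record is intact and the chain is unbroken."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def activity(self, user: str, start: str, end: str) -> list:
        """Reconstruct what one user did in a window; ISO timestamps sort lexically."""
        return [e for e in self.entries
                if e["user"] == user and start <= e["time"] <= end]


def build_sample_trail() -> AuditTrail:
    # Constructed events for demonstration only.
    trail = AuditTrail()
    trail.record("2024-01-15T09:02:11Z", "alice", "login", "vpn-gw")
    trail.record("2024-01-15T09:05:40Z", "alice", "read", "/finance/q4.xlsx")
    trail.record("2024-01-15T09:07:03Z", "bob", "login", "vpn-gw")
    trail.record("2024-01-15T09:15:27Z", "alice", "delete", "/finance/q4.xlsx")
    return trail
```

In practice the chain head (the last hash) is copied somewhere the audited system cannot write, such as a separate log server, so that a compromised host cannot quietly rebuild the whole chain.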


Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
Year: 2003
Pages: 138